CODEWITHSUNDEEP
keycloakaccess-tokenrefresh-token
Antonis S
Antonis S

Reputation: 773

Keycloak admin REST API - create new access token with refresh token without recreating a refresh token

I am trying to use Keycloak admin REST API to recreate an access token when I have a valid refresh token.

I have accomplished that, by invoking with POST /auth/realms/{realm}/protocol/openid-connect/token.

The problem is that the endpoint also returns a new refresh token each time. Is this the way a JWT authorisation flow should work?

I think the correct flow would be to only get a new access token when the auth endpoint is invoked, and when the refresh token expires, to sign in again to acquire a new refresh token; Not to get a new refresh token each time we query for a new access token.

I have also read this stack overflow post. Am I missing something here? You may find a pic with the request below: enter image description here

Upvotes: 4

Views: 3618

Answers (2)

Tore Nestenius
Tore Nestenius

Reputation: 19931

Using one-time refresh token is a modern best practice, because that allows the authorization server to kick out the user if the same refresh token is used twice.

How can that happen? well for example if the refresh token is stolen, then the hacker and your application will both try to use it! Otherwise it is a bit harder to detect hackers in the system

Upvotes: 2

Markus
Markus

Reputation: 1485

First of all you mix up two things. Open ID Connect Authentication with JWT and Oauth authorization tokens and refresh tokens.

This are two different objects. You will get a new OAuth refresh token each time you obtain an access token. This is the way OAuth grants you a "endless session" but with the option to deny a new access token at any try of exchange.

Also see from RFC https://datatracker.ietf.org/doc/html/rfc6749#section-1.5

  +--------+                                           +---------------+
  |        |--(A)------- Authorization Grant --------->|               |
  |        |                                           |               |
  |        |<-(B)----------- Access Token -------------|               |
  |        |               & Refresh Token             |               |
  |        |                                           |               |
  |        |                            +----------+   |               |
  |        |--(C)---- Access Token ---->|          |   |               |
  |        |                            |          |   |               |
  |        |<-(D)- Protected Resource --| Resource |   | Authorization |
  | Client |                            |  Server  |   |     Server    |
  |        |--(E)---- Access Token ---->|          |   |               |
  |        |                            |          |   |               |
  |        |<-(F)- Invalid Token Error -|          |   |               |
  |        |                            +----------+   |               |
  |        |                                           |               |
  |        |--(G)----------- Refresh Token ----------->|               |
  |        |                                           |               |
  |        |<-(H)----------- Access Token -------------|               |
  +--------+           & Optional Refresh Token        +---------------+

               Figure 2: Refreshing an Expired Access Token

Upvotes: 0

Related Questions